Verifying Asynchronous Event-DrivenPrograms Using Partial Abstract

Transformers

Peizun Liu1(B), Thomas Wahl1,and Akash Lal2

1 Northeastern University, Boston, USAlpzun@ccs.neu.edu

2 Microsoft Research, Bangalore, India

Abstract. We address the problem of analyzing asynchronous event-driven programs, in which concurrent agents communicate viaunbounded message queues. The safety verification problem for such pro-grams is undecidable. We present in this paper a technique that combinesqueue-bounded exploration with a convergence test : if the sequence of cer-tain abstractions of the reachable states, for increasing queue bounds k,converges, we can prove any property of the program that is preserved bythe abstraction. If the abstract state space is finite, convergence is guar-anteed ; the challenge is to catch the point kmax where it happens. Wefurther demonstrate how simple invariants formulated over the concretedomain can be used to eliminate spurious abstract states, which other-wise prevent the sequence from converging. We have implemented ourtechnique for the P programming language for event-driven programs.We show experimentally that the sequence of abstractions often con-verges fully automatically, in hard cases with minimal designer supportin the form of sequentially provable invariants, and that this happens fora value of kmax small enough to allow the method to succeed in practice.

1 Introduction

Asynchronous event-driven (AED) programming refers to a style of programmingmulti-agent applications. The agents communicate shared work via messages.Each agent waits for a message to arrive, and then processes it, possibly sendingmessages to other agents, in order to collectively achieve a goal. This program-ming style is common for distributed systems as well as low-level designs such asdevice drivers [11]. Getting such applications right is an arduous task, due to theinherent concurrency: the programmer must defend against all possible interleav-ings of messages between agents. In response to this challenge, recent years haveseen multiple approaches to verifying AED-like programs, e.g. by delaying sendactions, or temporarily bounding their number (to keep queue sizes small) [7,10],

Work supported by the US National Science Foundation under Grant No. 1253331,and by Microsoft Research India while hosting the second author for a sabbatical.

c© The Author(s) 2019I. Dillig and S. Tasiran (Eds.): CAV 2019, LNCS 11562, pp. 386–404, 2019.https://doi.org/10.1007/978-3-030-25543-5_22

Verifying AED Programs Using Partial Abstract Transformers 387

or by reasoning about a small number of representative execution schedules, toavoid interleaving explosion [5].

In this paper we consider the P language for AED programming [11]. A P pro-gram consists of multiple state machines running in parallel. Each machine hasa local store, and a message queue through which it receives events from othermachines. P allows the programmer to formulate safety specifications via a state-ment that asserts some predicate over the local state of a single machine. Verify-ing such reachability properties of course requires reasoning over global systembehavior and is, for unbounded-queue P programs, undecidable [8].

The unboundedness of the reachable state space does not prevent the use oftesting tools that try to explore as much of the state space as possible [3,6,11,13]in the quest for bugs. Somewhat inspired by this kind of approach, the goal of thispaper is a verification technique that can (sometimes) prove a safety property,despite exploring only a finite fraction of that space. Our approach is as follows.Assuming that the machines’ queues are the only source of unboundedness, weconsider a bound k on the queue size, and exhaustively compute the reachablestates Rk of the resulting finite-state problem, checking the local assertion Φalong the way. We then increase the queue bound until (an error is found, or) wereach some point kmax of convergence: a point that allows us to conclude thatincreasing k further is not required to prove Φ.

What kind of “convergence” are we targeting? We design a sequence (Rk)∞k=0

of abstractions of each reachability set over a finite abstract state space. Due tothe monotonicity of sequence (Rk)∞

k=0, this ensures convergence, i.e. the existenceof kmax such that RK = Rkmax for all K ≥ kmax. Provided that an abstract statesatisfies Φ exactly if all its concretizations do, we have: if all abstract states inRkmax comply with Φ, then so do all reachable concrete states of P—we haveproved the property.

We implement this strategy using an abstraction function α with a finiteco-domain that leaves the local state of a machine unchanged and maintainsthe first occurrence of each event in the queue; repeat occurrences are dropped.This abstraction preserves properties over the local state and the head of thequeue, i.e. the visible (to the machine) part of the state space, which is typicallysufficient to express reachability properties.

The second major step in our approach is the detection of the point of con-vergence of (Rk)∞

k=0: We show that, for the best abstract transformer Im [9,27,see Sect. 4.2], if Im(Rk) ⊆ Rk, then RK = Rk for all K ≥ k. In fact, we have astronger result: under an easy-to-enforce condition, it suffices to consider abstractdequeue operations: all others, namely enqueue and local actions, never lead toabstract states in Rk+1 \ Rk. The best abstract transformer for dequeue actionsis efficiently implementable for a given P program.

It is of course possible that the convergence condition Im(Rk) ⊆ Rk neverholds (the problem is undecidable). This manifests in the presence of a spuriousabstract state in the image produced by Im, i.e. one whose concretization doesnot contain any reachable state. Our third contribution is a technique to assistusers in eliminating such states, enhancing the chances for convergence. We

388 P. Liu et al.

have observed that spurious abstract states are often due to violations of simplemachine invariants: invariants that do not depend on the behavior of othermachines. By their nature, they can be proved using a cheap sequential analysis.

We can eliminate an abstract state (e.g. produced by Im) if all its concretiza-tions violate a machine invariant. In this paper, we propose a domain-specifictemporal logic to express invariants over machines with event queues and, moreimportantly, an algorithm that decides the above abstract queue invariant check-ing problem, by reducing it efficiently to a plain model checking problem. Wehave used this technique to ensure the convergence in “hard” cases that otherwisedefy convergence of the abstract reachable states sequence.

We have implemented our technique for the P language and empirically eval-uated it on an extensive set of benchmark programs. The experimental resultssupport the following conclusions: (i) for our benchmark programs, the sequenceof abstractions often converges fully automatically, in hard cases with minimaldesigner support in the form of separately dischargeable invariants; (ii) almost allexamples converge at a small value of kmax; and (iii) the overhead our techniqueadds to the bounding technique is small: the bulk is spent on the exhaustivebounded exploration itself.

Proofs and other supporting material can be found in the Appendix of [23].

2 Overview

We illustrate the main ideas of this paper using an example in the P language.A machine in a P program consists of multiple states. Each state defines an entrycode block that is executed when the machine enters the state. The state alsodefines handlers for each event type e that it is prepared to receive. A handlercan either be on e do foo (executing foo on receiving e), or ignore e (dequeuingand dropping e). A state can also have a defer e declaration; the semantics is thata machine dequeues the first non-deferred event in its queue. As a result, a queuein a P program is not strictly FIFO. This relaxation is an important feature ofP that helps programmers express their logic compactly [11]. Figure 1 shows a Pprogram named PiFl , in which a Sender (eventually) floods a Receiver’s queuewith Ping events. This queue is the only source of unboundedness in PiFl .

A critical property for P programs is (bounded) responsiveness: the receivingmachine must have a handler (e.g. on, defer, ignore) for every event arriving at thequeue head; otherwise the event will come as a “surprise” and crash the machine.To prove responsiveness for PiFl , we have to demonstrate (among others) thatin state Ignore it, the Done event is never at the head of the Receiver’s queue.We cannot perform exhaustive model checking, since the set of reachable statesis infinite. Instead, we will compute a conservative abstraction of this set that isprecise enough to rule out Done events at the queue head in this state.

We first define a suitable abstraction function α that collapses repeated occur-rences of events to each event’s first occurrence. For instance, the queue

Q = Prime.Prime.Prime.Done.Ping.Ping.Ping.Ping (1)

Verifying AED Programs Using Partial Abstract Transformers 389

Fig. 1. PiFl : a Ping-Flood scenario. The Sender and the Receiver communicate viaevents of types Prime, Done, and Ping. After sending some Prime events and oneDone, the Sender floods the Receiver with Pings. The Receiver initially defers Primes.Upon receiving Done it enters a state in which it ignores Ping.

will be abstracted to Q = α(Q) = Prime.Done.Ping. The finite number ofpossible abstract queues is 1 + 3 + 3 · 2 + 3 · 2 · 1 = 16. The abstraction preservesthe head of the queue. This and the machine state has enough information tocheck responsiveness.

We now generate the sequence Rk of abstractions of the reachable statessets Rk for queue size bounds k = 0, 1, 2, . . ., by computing each finite set Rk,and then Rk as α(Rk). The obtained monotone sequence (Rk)∞

k=0 over a finitedomain will eventually converge, but we must prove that it has. This is doneby applying the best abstract transformer Im, restricted to dequeue operations(defined in Sect. 4.2), to the current set Rk, and confirming that the result iscontained in Rk.

As it turns out, the confirmation fails for the PiFl program: k = 5 marksthe first time set Rk repeats, i.e. R4 = R5, so we are motivated to run theconvergence test. Unfortunately we find a state s ∈ Im(R5)\R5, preventingconvergence. Our approach now offers two remedies to this dilemma. One is torefine the queue abstraction. In our implementation, function α is really αp,for a parameter p that denotes the size of the prefix of the queue that is keptunchanged by the abstraction. For example, for the queue from Eq. (1) we haveα4(Q) = Prime.Prime.Prime.Done | Ping, where | separates the prefix fromthe “infinite tail” of the abstract queue. This (straightforward) refinement main-tains finiteness of the abstraction and increases precision, by revealing that thequeue starts with three Prime events. Re-running the analysis for the PiFlprogram with p = 4, at k = 5 we find Im(R5) ⊆ R5, and the proof is complete.

The second remedy to the failed convergence test dilemma is more powerfulbut also less automatic. Let’s revert to prefix p = 0 and inspect the abstractstate s ∈ Im(R5) \ R5 that foils the test. We find that it features a Done eventfollowed by a Prime event in the Receiver’s queue. A simple static analysis of theSender’s machine in isolation shows that it permits no path from the send Done

390 P. Liu et al.

to the send Prime statement. The behavior of other machines is irrelevant forthis invariant; we call it a machine invariant. We pass the invariant to our toolvia the command line using the expression

G (Done ⇒ G¬Prime) (2)

in a temporal-logic like notation called QuTL (Sect. 5.1), where G universallyquantifies over all queue entries. Our tool includes a QuTL checker that deter-mines that every concretization of s violates property (2), concluding that sis spurious and can be discarded. This turns out to be sufficient for convergence.

3 Queue-(Un)Bounded Reachability Analysis

Communicating Queue Systems. We consider P programs consisting of afixed and known number n of machines communicating via event passing throughunbounded FIFO queues.1 For simplicity, we assume the machines are createdat the start of the program; dynamic creation at a later time can be simulatedby having the machine ignore all events until it receives a special creation event.

We model such a program as a communicating queue system (CQS). For-mally, given n ∈ N, a CQS Pn is a collection of n queue automata (QA)Pi = (Σ,Li,Act i,Δi, �

Ii ), 1 ≤ i ≤ n. A QA consists of a finite queue alpha-

bet Σ shared by all QA, a finite set Li of local states, a finite set Act i of actionlabels, a finite set Δi ⊆ Li × (Σ ∪ {ε}) × Act i × Li × (Σ ∪ {ε}) of transitions,and an initial local state �I

i ∈ Li. An action label act ∈ Act i is of the form

– act ∈ {deq , loc}, denoting an action internal to Pi (no other QA involved)that either dequeues an event (deq), or updates its local state (loc); or

– act = !(e, j), for e ∈ Σ, j ∈ {1, . . . , n}, denoting a transmission, where Pi

(the sender) adds event e to the end of the queue of Pj (the receiver).

The individual QA of a CQS model machines of a P program; hence we referto QA states as machine states. A transmit action is the only communicationmechanism among the QA.

Semantics. A machine state m of a QA is of the form (�,Q) ∈ L × Σ∗; statemI = (�I , ε) is initial. We define machine transitions corresponding to internalactions as follows (transmit actions are defined later at the global level):

(�, ε) loc→ (�′, ε) ∈ Δ

(�,Q) → (�′,Q)for �, �′ ∈ L, Q ∈ Σ∗ (local)

(�, e)deq→ (�′, ε) ∈ Δ

(�, eQ) → (�′,Q)for �, �′ ∈ L, e ∈ Σ, Q ∈ Σ∗ (dequeue)

1 The P language permits unbounded machine creation, a feature that we do not allowhere and that is not used in any of the benchmarks we are aware of.

Verifying AED Programs Using Partial Abstract Transformers 391

A (global) state s of a CQS is a tuple 〈(�1,Q1), . . . , (�n,Qn)〉 where (�i,Qi) ∈Li × Σ∗ for i ∈ {1, . . . , n}. State sI = 〈(�I

1, ε), . . . , (�In, ε)〉 is initial. We extend

the machine transition relation → to states as follows:

〈(�1,Q1), . . . , (�n,Qn)〉 → 〈(�′1,Q′

1), . . . , (�′n,Q′

n)〉if there exists i ∈ {1, . . . , n} such that one of the following holds:

(internal) (�i,Qi) → (�′i,Q′

i), and for all k ∈ {1, . . . , n}\{i}, �k = �′k, Qk = Q′

k;(transmission) there exists j ∈ {1, . . . , n} and e ∈ Σ such that:

1. (�i, ε)!(e,j)−−−→ (�′

i, ε) ∈ Δi;2. Q′

j = Qje;3. �′

k = �k for all k ∈ {1, . . . , n} \ {i}; and4. Q′

k = Qk for all k ∈ {1, . . . , n} \ {j}.

The execution model of a CQS is strictly interleaving. That is, in each step, oneof the two above transitions (internal) or (transmission) is performed for anondeterministically chosen machine i.

Queue-Bounded and Queue-Unbounded Reachability. Given a CQS Pn,a state s = 〈(�1,Q1), . . . , (�n,Qn)〉, and a number k, the queue-bounded reacha-bility problem (for s and k) determines whether s is reachable under queue boundk, i.e. whether there exists a path s0 → s1 . . . → sz such that s0 = sI , sz = s, andfor i ∈ {0, . . . , z}, all queues in state si have at most k events. Queue-boundedreachability for k is trivially decidable, by making enqueue actions for queues ofsize k blocking (the sender cannot continue), which results in a finite state space.We write Rk = {s : s is reachable under queue bound k}.

Queue-bounded reachability will be used in this paper as a tool for solving ouractual problem of interest: Given a CQS Pn and a state s, the Queue-UnBoundedreachability Analysis (QUBA) problem determines whether s is reachable, i.e.whether there exists a (queue-unbounded) path from sI to s. The QUBA problemis undecidable [8]. We write R (=

⋃k∈N

Rk) for the set of reachable states.

4 Convergence via Partial Abstract Transformers

In this section, we formalize our approach to detecting the convergence of asuitable sequence of observations about the states Rk reachable under k-boundedsemantics. We define the observations as abstractions of those states, resultingin sets Rk. We then investigate the convergence of the sequence (Rk)∞

k=0.

4.1 List Abstractions of Queues

Our abstraction function applies to queues, as defined below. Its action onmachine and system states then follows from the hierarchical design of a CQS.Let |Q| denote the number of events in Q, and Q[i] the ith event in Q(0 ≤ i < |Q|).

392 P. Liu et al.

Definition 1. For a parameter p ∈ N, the list abstraction function αp : Σ∗ �→Σ∗ is defined as follows:

1. αp(ε) = ε.2. For a non-empty queue Q = P · e,

αp(Q) ={

αp(P ) if there exists j s.t. p ≤ j < |P | and Q[j] = eαp(P ) · e otherwise . (3)

Intuitively, αp abstracts a queue by leaving its first p events unchanged (anidea also used in [16]). Starting from position p it keeps only the first occur-rence of each event e in the queue, if any; repeat occurrences are dropped.2 Thepreservation of existence and order of the first occurrences of all present eventsmotivates the term list abstraction. An alternative is an abstraction that keepsonly the set (not: list) of queue elements from position p, i.e. it ignores multi-plicity and order. This is by definition less precise than the list abstraction andprovided no efficiency advantages in our experiments. An abstraction that keepsonly the queue head proved cheap but too imprecise.

The motivation for parameter p is that many protocols proceed in roundsof repeating communication patterns, involving a bounded number of messageexchanges. If p exceeds that number, the list abstraction’s loss of informationmay be immaterial.

We write an abstract queue Q = αp(Q) in the form pref |suff s.t. p = |pref |,and refer to pref as Q’s prefix (shared with Q), and suff as Q’s suffix.

Example 2. The queues Q ∈ {bbbba, bbba, bbbaa} are α2-equivalent: α2(Q) =bb |ba.

We extend αp to act on a machine state via αp(�i,Qi) = (�i, αp(Qi)), on astate via αp(s) = 〈(�1, αp(Q1)), . . . , (�n, αp(Qn))〉, and on a set of states point-wise via αp(S) = {αp(s) : s ∈ S}.

Discussion. The abstract state space is finite since the queue prefix is of fixedsize, and each event in the suffix is recorded at most once (the event alphabet isfinite). The sets of reachable abstract states grow monotonously with increasingqueue size bound k, since the sets of reachable concrete states do:

k1 ≤ k2 ⇒ Rk1 ⊆ Rk2 ⇒ αp(Rk1) ⊆ αp(Rk2) .

Finiteness and monotonicity guarantee convergence of the sequence of reachableabstract states.

We say the abstraction function αp respects a property of a state if, for any twoαp-equivalent states (see Example 2), the property holds for both or for neither.Function αp respects properties that refer to the local-state part of a machine, andto the first p + 1 events of its queue (which are preserved by αp). In addition, theproperty may look beyond the prefix and refer to the existence of events in thequeue, but not their frequency or their order after the first occurrence.2 Note that the head of the queue is always preserved by αp, even for p = 0.

Verifying AED Programs Using Partial Abstract Transformers 393

The rich information preserved by the abstraction (despite being finite-state)especially pays off in connection with the defer feature in the P language, whichallows machines to delay handling certain events at the head of a queue [11]. Themachine identifies the first non-deferred event in the queue, a piece of informationthat is precisely preserved by the list abstraction (no matter what p).

Definition 3. Given an abstract queue Q = e0 . . . ep−1 | ep . . . ez−1, the con-cretization function γp : Σ∗ → 2Σ∗

maps Q to the language of the regularexpression

REp(Q) := e0 . . . ep−1ep{ep}∗ep+1{ep, ep+1}∗

. . . ez−1{ep, . . . , ez−1}∗, (4)

i.e. γp(Q) := L(REp(Q)).

As a special case, REp(ε) = ε and so γp(ε) = L(ε) = {ε} for the emptyqueue. We extend γp to act on abstract (machine or global) states in a wayanalogous to the extension of αp, by moving it inside to the queues occurring inthose states.

4.2 Abstract Convergence Detection

Recall that finiteness and monotonicity of the sequence (Rk)∞k=0 guarantee its

convergence, so nothing seems more suggestive than to compute the limit. Wesummarize our overall procedure to do so in Algorithm 1. The procedure iter-atively increases the queue bound k and computes the concrete and (per αp-projection) the abstract reachability sets Rk and Rk. If, for some k, an error isdetected, the procedure terminates (Lines 4–5; in practice implemented as anon-the-fly check).

Algorithm 1. Queue-unbounded reachability analysisInput: CQS with transition relation → , p ∈ N, property Φ respected by αp.1: compute R0; R0 := αp(R0)2: for k := 1 to ∞ do3: compute Rk; Rk := αp(Rk)4: if ∃r ∈ Rk : r �|= Φ then5: return “error reachable with queue bound k”6: if |Rk| = |Rk−1| then7: T := (αp ◦ Imdeq ◦ γp)(Rk) � partial best abstract transformer8: if T ⊆ Rk then9: return “safe for any queue bound”

The key of the algorithm is reflected in Lines 6–9 and is based on the fol-lowing idea (all claims are proved as part of Theorem4 below). If the computa-tion of Rk reveals no new abstract states in round k (Line 6; by monotonicity,

394 P. Liu et al.

“same size” implies “same sets”), we apply the best abstract transformer [9,27]Im := αp ◦ Im→ ◦ γp to Rk: if the result is contained in Rk, the abstract reach-ability sequence has converged. However, we can do better: we can restrict thesuccessor function Im→ of the CQS to dequeue actions, denoted Imdeq in Line 7.The ultimate reason is that firing a local or transmit action on two αp-equivalentstates r and s results again in αp-equivalent states r′ and s′. This fact does nothold for dequeue actions: the successors r′ and s′ of dequeues depend on theabstracted parts of r and s, resp., which may differ and become “visible” duringthe dequeue (e.g. the event behind the queue head moves into the head position).Our main result therefore is: if Rk = Rk−1 and dequeue actions do not createnew abstract states (Lines 7 and 8), sequence (Rk)∞

k=0 has converged:

Theorem 4. If Rk = Rk−1 and T ⊆ Rk, then for any K ≥ k, RK = Rk.

If the sequence of reachable abstract states has converged, then all reachableconcrete states (any k) belong to γp(Rk) (for the current k). Since the abstractionfunction αp respects property Φ, we know that if any reachable concrete stateviolated Φ, so would any other concrete state that maps to the same abstraction.However, for each abstract state in Rk, Line 4 has examined at least one state rin its concretization; a violation was not found. We conclude:

Corollary 5. Line 9 of Algorithm1 correctly asserts that no reachable concretestate of the given CQS violates Φ.

The corollary (along with the earlier statement about Lines 4–5) confirmsthe partial correctness of Algorithm 1. The procedure is, however, necessarilyincomplete: if no error is detected and the convergence condition in Line 8 neverholds, the for loop will run forever.

We conclude this part with two comments. First, note that we do not computethe sets Rk as reachability fixpoints in the abstract domain (i.e. the domainof αp). Instead, we compute the concrete reachability sets first, and then obtainthe Rk via projection (Line 1). The reason is that the projection gives us theexact set of abstractions of reachable concrete states, while an abstract fixpointlikely overapproximates (for instance, the best abstract transformer from Line 7does) and loses precision. Note that a primary motivation for computing abstractfixpoints, namely that the concrete fixpoint may not be computable, does notapply here: the concrete domains are finite, for each k.

Second, we observe that this projection technique comes with a cost: sequence(Rk)∞

k=0 may stutter at intermediate moments: Rk � Rk+1 = Rk+2 � Rk+3.The reason is that Rk+3 is not obtained as a functional image of Rk+2, but byprojection from Rk+3. As a consequence, we cannot short-cut the convergencedetection by just “waiting” for (Rk)∞

k=0 to stabilize, despite the finite domain.

4.3 Computing Partial Best Abstract Transformers

Recall that in Line 7 we compute

T = Imdeq(Rk) = (αp ◦ Imdeq ◦ γp)(Rk) . (5)

Verifying AED Programs Using Partial Abstract Transformers 395

The line applies the best abstract transformer, restricted to dequeue actions,to Rk. This result cannot be computed as defined in (5), since γp(Rk) is typicallyinfinite. However, Rk is finite, so we can iterative over r ∈ Rk, and little informa-tion is actually needed to determine the abstract successors of r. The “infinitefragment” of r remains unchanged, which makes the action implementable.

Formally, let r = (�,Q) with Q = e0e1 . . . ep−1 | epep+1 . . . ez−1. To apply adequeue action to r, we first perform local-state updates on � as required by theaction, resulting in �′. Now consider Q. The first suffix event, ep, moves into theprefix due to the dequeue. We do not know whether there are later occurrencesof ep before or after the first suffix occurrences of ep+1 . . . ez−1. This informationdetermines the possible abstract queues resulting from the dequeue. To computethe exact best abstract transformer, we enumerate these possibilities:

Imdeq({(�,Q)}) =

{ (�′,Q′) : Q′ ∈

⎧⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎩

e1 . . . ep |ep+1ep+2 . . . ez−1

e1 . . . ep | ep ep+1ep+2 . . . ez−1

e1 . . . ep |ep+1 ep ep+2 . . . ez−1

...e1 . . . ep |ep+1ep+2 . . . ez−1 ep

⎫⎪⎪⎪⎪⎪⎪⎬

⎪⎪⎪⎪⎪⎪⎭

}

The first case for Q′applies if there are no occurrences of ep in the suffix

after the dequeue. The remaining cases enumerate possible positions of the firstoccurrence of ep (boxed, for readability) in the suffix after the dequeue. The costof this enumeration is linear in the length of the suffix of the abstract queue.

Since our list abstraction maintains the first occurrence of each event, thesemantics of defer (see the Discussion in Sect. 4.1) can be implemented abstractlywithout loss of information (not shown above, for simplicity).

5 Abstract Queue Invariant Checking

The abstract transformer function in Sect. 4 is used to decide whether sequence(Rk)∞

k=0 has converged. Being an overapproximation, the function may gener-ate spurious states: they are not reachable, i.e. no concretization of them is.Unfortunate for us, spurious abstract states always prevent convergence.

A key empirical observation is that concretizations of spurious abstract statesoften violate simple machine invariants, which can be proved from the perspec-tive of a single machine, while collapsing all other machines into a nondetermin-istically behaving environment. Consider our example from Sect. 2 for p = 0. Itfails to converge since Line 7 generates an abstract state s that features a Doneevent followed by a Prime event in the Receiver’s queue. A light-weight staticanalysis proves that the Sender’s machine permits no path from the send Doneto the send Prime statement. Since every concretization of s features a Donefollowed by a Prime event, the abstract state s is spurious and can be eliminated.

396 P. Liu et al.

Our tool assists users in discovering candidate machine invariants, by facili-tating the inspection of states in T \Rk (which foil the test in Line 8). We dis-charge such invariants separately, via a simple sequential model-check or staticanalysis. In the section we focus on the more interesting question of how to usethem. Formally, suppose the P program comes with a queue invariant I, i.e. aninvariant property of concrete queues. The abstract invariant checking problemis to decide, for a given abstract queue Q, whether every concretization of Qviolates I; in this case, and this case only, an abstract state containing Q can beeliminated. In the following we define a language QuTL for specifying concretequeue invariants (5.1), and then show how checking an abstract queue against aQuTL invariant can be efficiently solved as a model checking problem (5.2).

5.1 Queue Temporal Logic (QuTL)

Our logic to express invariant properties of queues is a form of first-order linear-time temporal logic. This choice is motivated by the logic’s ability to constrainthe order (via temporal operators) and multiplicity of queue events, the latter viarelational operators that express conditions on the number of event occurrences.

Queue Relational Expressions (QuRelE). These are of the form #e c, wheree ∈ Σ (queue alphabet), ∈ {<,≤,=,≥, >}, and c ∈ N is a literal naturalnumber. The value of a QuRelE is defined as the Boolean

V (#e c) = |{i ∈ N : 0 ≤ i < |Q| ∧ Q[i] = e}| c (6)

where |·| denotes set cardinality and is interpreted as the standard integer arith-metic relational operator. In the following we write Q[i →] (read: “Q from i”)for the queue obtained from queue Q by dropping the first i events.

Definition 6 (Syntax of QuTL). The following are QuTL formulas:

– false and true.– e, for e ∈ Σ.– E, for a queue relational expression E.– Xφ, Fφ, Gφ, for a QuTL formula φ.

The set QuTL is the Boolean closure of the above set of formulas.

Definition 7 (Concrete semantics of QuTL). Concrete queue Q satisfiesQuTL formula φ, written Q |= φ, depending on the form of φ as follows.

– Q |= true.– for e ∈ Σ, Q |= e iff |Q| > 0 and Q[0] = e.– for a queue relational expression E, Q |= E iff V (E) = true.– Q |= Xφ iff |Q| > 0 and Q[1 →] |= φ.– Q |= Fφ iff there exists i ∈ N such that 0 ≤ i < |Q| and Q[i →] |= φ.– Q |= Gφ iff for all i ∈ N such that 0 ≤ i < |Q|, Q[i →] |= φ.

Verifying AED Programs Using Partial Abstract Transformers 397

Satisfaction of Boolean combinations is defined as usual, e.g. Q |= ¬φ iff Q �|= φ.No other pair (Q, φ) satisfies Q |= φ.

For instance, formula #e ≤ 3 is true exactly for queues containing at most3 e’s, and formula G(#e ≥ 1) is true of Q iff Q is empty or its final event (!) is e.See App. B of [23] for more examples.

Algorithmically checking whether a concrete queue Q satisfies a QuTL formulaφ is straightforward, since Q is of fixed size and straight-line. The situation is differ-ent with abstract queues. Our motivation here is to declare that an abstract queueQ violates a formula φ if all its concretizations (Definition 3) do: under this condi-tion, if φ is an invariant, we know Q is not reachable. Equivalently:

Definition 8 (Abstract semantics of QuTL). Abstract queue Q satisfiesQuTL formula φ, written Q |=p φ, if some concretization of Q satisfies φ:

Q |=p φ := ∃Q ∈ γp(Q) : Q |= φ. (7)

For example, we have bb |ba |=2 G(a ⇒ G¬b) since for instance bbba ∈ γ2(bb |ba) satisfies the formula. See App. B of [23] for more examples.

s0 s1 s2

s2|3

s3

s3|4

s4

s4|5

s5

{b} {b} {a}

{a}

{b}

{a, b}

{c} { }

{a, b, c}

ε

Fig. 2. LTS for Q = bb | abc (p = 2), with label sets written below each state. Theblue and red parts encode the concretizations of the prefix and suffix of Q, resp. (Colorfigure online)

5.2 Abstract QuTL Model Checking

A QuTL constraint is a QuTL formula without Boolean connectives. We firstdescribe how to model check against QuTL constraints, and come back toBoolean connectives at the end of Sect. 5.2.

Model checking an abstract queue Q against a QuTL constraint φ, i.e. check-ing whether some concretization of Q satisfies φ, can be reduced to a standardmodel checking problem over a labeled transition system (LTS) M = (S, T, L)with states S, transitions T , and a labeling function L : S → 2Σ ∪ {ε}. The LTScharacterizes the concretization γp(Q) of Q, as illustrated in Fig. 2 using anexample: the concretizations of Q are formed from the regular-expression tracesgenerated by paths of Q’s LTS that end in the double-circled green state.

398 P. Liu et al.

The straightforward construction of the LTS M is formalized in App. A.2of [23]. Its size is linear in |Q|: |S| = p+2×(|Q|−p)+1 and |T | = p+4×(|Q|−p).

We call a path through M complete if it ends in the right-most state sz of M(green in Fig. 2). The labeling function extends to paths via L(si → . . . → sj) =L(si) · . . . · L(sj). This gives rise to the following characterization of γp(Q):

Lemma 9. Given abstract queue Q over alphabet Σ, let M = (S, T, L) beits LTS.

γp(Q) =⋃

{L(L(π)) ∈ 2Σ∗ | π is a complete path from s0 in M}. (8)

We say path π satisfies φ, written π |=p φ, if there exists Q ∈ L(L(π))s.t. Q |= φ.

Corollary 10. Let Q and M as in Lemma 9, and φ a QuTL constraint. Thenthe following are equivalent.

1. Q |=p φ.2. There exists a complete path π from s0 in M such that π |=p φ.

Proof. immediate from Definition 8 and Lemma 9. ��Given an abstract queue Q, its LTS M , and a QuTL constraint φ, our abstract

queue model checking algorithm is based on Corollary 10: we need to find acomplete path from s0 in M that satisfies φ. This is similar to standard modelchecking against existential temporal logics like ECTL, with two particularities:

First, paths must be complete. This poses no difficulty, as completeness issuffix-closed: a path ends in sz iff any suffix does. This implies that temporalreductions on QuTL constraints work like in standard temporal logics. For exam-ple: there exists a complete path π from s0 in M such that π |=p Xφ iff thereexists a complete path π′ from some successor s1 of s0 such that π′ |=p φ.

Second, we have domain-specific atomic (non-temporal) propositions. Theseare accommodated as follows, for an arbitrary start state s ∈ S:

∃π : π from s complete and π |=p e (for e ∈ Σ):this is true iff e ∈ L(s), as is immediate from the Q |= e case in Definition 7.∃π : π from s complete and π |=p #e > c (for e ∈ Σ, c ∈ N): this is trueiff

– the number of states reachable from s labeled e is greater than c, or– there exists a state reachable from s labeled with e that has a self-loop.

The other relational expressions #e c are checked similarly. ��

Boolean Connectives. Let now φ be a full-fledged QuTL formula. We first bringit into negation normal form, by pushing negations inside, exploiting the usualdualities ¬X = X¬, ¬F = G¬, and ¬G = F¬. The subset ∈ {<,≤,≥, >} ofthe queue relational expressions is semantically closed under negation; “¬=” isreplaced by “> ∨ <”. A path π from s satisfies ¬e (for e ∈ Σ) iff L(s) �= {e}:this condition states that either L(s) = ε, or there exists some label other thane in L(s), so the existential property ¬e holds.

Verifying AED Programs Using Partial Abstract Transformers 399

Disjunctions are handled by distributing |=p over them: Q |=p φ1 ∨ φ2 iffQ |=p φ1 ∨ Q |=p φ2. What remains are conjunctions. The existential flavorof |=p implies that |=p does not distribute over them; see Ex. 13 in App. B.1of [23]. Suppose we ignore this and replace a check of the form Q |=p φ1 ∧ φ2

by the weaker check Q |=p φ1 ∧ Q |=p φ2, which may produce false positives.Now consider how we use these results: if Q |=p φ holds, we decide to keep thestate containing the abstract queue. False positives during abstract model checkstherefore may create extra work, but do not introduce unsoundness. In summary,our abstract model checking algorithm soundly approximates conjunctions, butremains exact for the purely disjunctive fragment of QuTL.

Table 1. Results: #M : #P machines; Loc: #lines of code; Safe? = ✓: property holds;p: minimum unabstracted prefix for required convergence; kmax: point of convergence orexposed bugs (– means divergence); Time: runtime (sec); Mem.: memory usage (Mb.).

ID/ProgramProgram Features Pat

#M Loc Safe? p kmax T ime Mem.

1/German-1 3 242 4 − TO −2/German-2 4 244 4 − TO −3/TokenRing-buggy 6 164 0 2 241.44 35.96

4/TokenRing-fixed 6 164 0 4 1849.25 130.87

5/FailureDetector 6 229 0 4 183.99 12.38

6/OSR 5 378 0 5 77.92 44.86

7/openWSN 6 294 2 5 2574.25 376.29

ID/ProgramProgram Features Pat

#M Loc Safe? p kmax T ime Mem.

8/Failover 4 132 0 2 2.91 8.56

9/MaxInstances 4 79 0 3 0.14 0.56

10/PingPong 2 76 0 2 0.06 0.43

11/BoundedAsync 4 96 0 5 203.39 29.32

12/PingFlood 2 52 4 5 0.11 0.43

13/Elevator-buggy 4 270 0 1 1.29 5.23

14/Elevator-fixed 4 271 0 4 49.23 45.36

6 Empirical Evaluation

We implemented the proposed approaches in C# atop the bounded modelchecker PTester [11], an analysis tool for P programs. PTester employs a boundedexploration strategy similar to Zing [4]. We denote by Pat the implementationof Algorithm 1, and by Pat+I the version with queue invariants (“Pat+ Invari-ants”). A detailed introduction to tool design and implementation is availableonline [22].

Experimental Goals. We evaluate the approaches against the following questions:

Q1. Is Pat effective: does it converge for many programs? for what valuesof k?Q2. What is the impact of the QuTL invariant checking?

Experimental Setup. We collected a set of P programs (available online [22]);most have been used in previous publications:

1–5: protocols implemented in P: the German Cache Coherence protocol withdifferent number of clients (1–2) [11], a buggy version of a token ringprotocol [11], and a fixed version (3–4), and a failure detector protocolfrom [25] (5).

400 P. Liu et al.

6–7: two device drivers where OSR is used for testing USB devices [10].8–14: miscellaneous: 8–10 [25], 11 [15], 12 is the example from Sect. 2, 13–14

are the buggy and fixed versions of an Elevator controller [11].

We conduct two types of experiments: (i) we run Pat on each benchmark toempirically answer Q1; (ii) we run Pat+I on the examples which fail to verifyin (i) to answer Q2. All experiments are performed on a 2.80 GHz Intel(R)Core(TM) i7-7600 machine with 8 GB memory, running 64-bit Windows 10.The timeout is set to 3600 s (1h); the memory limit to 4 GB.

Results. Table 1 shows that Pat converges on almost all safe examples (andsuccessfully exposes the bugs for unsafe ones). Second, in most cases, the kmax

where convergence was detected is small, 5 or less. This is what enables the useof this technique in practice: the exploration space grows fast with k, so earlyconvergence is critical. Note that kmax is guaranteed to be the smallest value forwhich the respective example converges. If convergent, the verification succeededfully automatically: the queue abstraction prefix parameter p is incremented ina loop whenever the current value of p caused a spurious abstract state.

The German protocol does not converge in reasonable time. In this case, werequest minimal manual assistance from the designer. Our tool inspects spuriousabstract states, compares them to actually reached abstract states, and suggestscandidate invariants to exclude them. We describe the process of invariant dis-covery, and why and how they are easy to prove, in [22].

The following table shows the invariants that make the German protocolconverge, and the resulting times and memory consumption.

Program p kmax Time Mem. Invariant

German-1 0 4 15.65 45.65 Server: #req excl ≤ 1 ∧ #req share ≤ 1

German-2 0 4 629.43 284.75 Client: #ask excl ≤ 1 ∧ #ask share ≤ 1

The invariant states that there is always at most one exclusive request andat most one shared request in the Server or Client machine’s queue.

Performance Evaluation. We finally consider the following question: To performfull verification, how much overhead does Pat incur compared to PTester? Weiteratively run PTester with a queue bound from 1 up to kmax (from Table 1).

0.01

0.1

1

10

100

1000

3 4 5 6 7 8 9 10 11 12 13 14

Tim

e (S

ec.)

Benchmark ID

PTester PATThe figure on the rightcompares the running timesof Pat and PTester. Weobserve that the difference issmall, in all cases, suggestingthat turning PTester into afull verifier comes with little

Verifying AED Programs Using Partial Abstract Transformers 401

extra cost. Therefore, as for improving Pat’s scalability, the focus should beon the efficiency of the Rk computation (Line 3 in Algorithm 1). Techniquesthat lend themselves here are partial order reduction [2,28] or symmetry reduc-tion [29]. Note that our proposed approach is orthogonal to how these sets arecomputed.

7 Related Work

Automatic verification for asynchronous event-driven programs communicatingvia unbounded FIFO queues is undecidable [8], even when the agents are finite-state machines. To sidestep the undecidability, various remedies are proposed.One is to underapproximate program behaviors using various bounding tech-niques; examples include depth- [17] and context-bounded analysis [19,20,26],delay-bounding [13], bounded asynchrony [15], preemption-bounding [24], andphase-bounded analysis [3,6]. It has been shown that most of these boundingtechniques admit a decidable model checking problem [19,20,26] and thus havebeen successfully used in practice for finding bugs.

Gall et al. proposed an abstract interpretation of FIFO queues in terms ofregular languages [16]. While our works share some basic insights about tamingqueues, the differences are fundamental: our abstract domain is finite, guaran-teeing convergence of our sequence. In [16] the abstract domain is infinite; theypropose a widening operator for fixpoint computation. More critically, we usethe abstract domain only for convergence detection; the set of reachable statesreturned is in the end exact. As a result, we can prove and refute properties butmay not terminate; [16] is inexact and cannot refute but always returns.

Several partial verification approaches for asynchronous message-passing pro-grams have been presented recently [5,7,10]. In [5], Bakst et al. propose canon-ical sequentialization, which avoids exploring all interleavings by sequentializingconcurrent programs. Desai et al. [10] propose an alternative way, namely by pri-oritizing receive actions over send actions. The approach is complete in the sensethat it is able to construct almost-synchronous invariants that cover all reach-able local states and hence suffice to prove local assertions. Similarly, Bouajjaniet al. [7] propose an iterative analysis that bounds send actions in each interac-tion phase. It approaches the completeness by checking a program’s synchroniz-ability under the bounds. Similar to our work, the above three works are soundbut incomplete. An experimental comparison against the techniques reported in[7,10] fails due to the unavailability of a tool that implements them. While toolsimplementing these techniques are not available [7,10], a comparison based onwhat is reported in the papers suggests that our approach is competitive in bothperformance and precision.

Our approach can be categorized as a cutoff detection technique [1,12,14,28].Cutoffs are, however, typically determined statically, often leaving them too largefor practical verification. Aiming at minimal cutoffs, our work is closer in natureto earlier dynamic strategies [18,21], which targeted different forms of concurrentprograms. The generator technique proposed in [21] is unlikely to work for Pprograms, due to the large local state space of machines.

402 P. Liu et al.

8 Conclusion

We have presented a method to verify safety properties of asynchronous event-driven programs of agents communicating via unbounded queues. Our approachis sound but incomplete: it can both prove (or, by encountering bugs, disprove)such properties but may not terminate. We empirically evaluate our method ona collection of P programs. Our experimental results showcase our method cansuccessfully prove the correctness of programs; such proof is achieved with littleextra resource costs compared to plain state exploration. Future work includesan extension to P programs with other sources of unboundedness than the queuelength (e.g. messages with integer payloads).

Acknowledgments. We thank Dr. Vijay D’Silva (Google, Inc.), for enlightening dis-cussions about partial abstract transformers.

References

1. Abdulla, A.P., Haziza, F., Holık, L.: All for the price of few (parameterized verifi-cation through view abstraction). In: VMCAI, pp. 476–495 (2013)

2. Abdulla, P., Aronis, S., Jonsson, B., Sagonas, K.: Optimal dynamic partial orderreduction. In: POPL, pp. 373–384 (2014)

3. Abdulla, P.A., Atig, M.F., Cederberg, J.: Analysis of message passing programsusing SMT-solvers. In: Van Hung, D., Ogawa, M. (eds.) ATVA 2013. LNCS, vol.8172, pp. 272–286. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02444-8 20

4. Andrews, T., Qadeer, S., Rajamani, S.K., Rehof, J., Xie, Y.: Zing: a model checkerfor concurrent software. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol.3114, pp. 484–487. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27813-9 42

5. Bakst, A., Gleissenthall, K.v., Kici, R.G., Jhala, R.: Verifying distributed programsvia canonical sequentialization. PACMPL 1(OOPSLA), 110:1–110:27 (2017)

6. Bouajjani, A., Emmi, M.: Bounded phase analysis of message-passing programs.Int. J. Softw. Tools Technol. Transf. 16(2), 127–146 (2014)

7. Bouajjani, A., Enea, C., Ji, K., Qadeer, S.: On the completeness of verifying mes-sage passing programs under bounded asynchrony. In: Chockler, H., Weissenbacher,G. (eds.) CAV 2018. LNCS, vol. 10982, pp. 372–391. Springer, Cham (2018).https://doi.org/10.1007/978-3-319-96142-2 23

8. Brand, D., Zafiropulo, P.: On communicating finite-state machines. J. ACM 30(2),323–342 (1983)

9. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In:POPL, pp. 269–282 (1979)

10. Desai, A., Garg, P., Madhusudan, P.: Natural proofs for asynchronous programsusing almost-synchronous reductions. In: OOPSLA, pp. 709–725 (2014)

11. Desai, A., Gupta, V., Jackson, E., Qadeer, S., Rajamani, S., Zufferey, D.: P: safeasynchronous event-driven programming. In: PLDI, pp. 321–332 (2013)

12. Emerson, E.A., Kahlon, V.: Reducing model checking of the many to the few. In:McAllester, D. (ed.) CADE 2000. LNCS (LNAI), vol. 1831, pp. 236–254. Springer,Heidelberg (2000). https://doi.org/10.1007/10721959 19

Verifying AED Programs Using Partial Abstract Transformers 403

13. Emmi, M., Qadeer, S., Rakamaric, Z.: Delay-bounded scheduling. In: POPL, pp.411–422 (2011)

14. Farzan, A., Kincaid, Z., Podelski, A.: Proof spaces for unbounded parallelism. In:POPL, pp. 407–420 (2015)

15. Fisher, J., Henzinger, T.A., Mateescu, M., Piterman, N.: Bounded asynchrony:concurrency for modeling cell-cell interactions. In: Fisher, J. (ed.) FMSB 2008.LNCS, vol. 5054, pp. 17–32. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68413-8 2

16. Le Gall, T., Jeannet, B., Jeron, T.: Verification of communication protocols usingabstract interpretation of FIFO queues. In: Johnson, M., Vene, V. (eds.) AMAST2006. LNCS, vol. 4019, pp. 204–219. Springer, Heidelberg (2006). https://doi.org/10.1007/11784180 17

17. Godefroid, P.: Model checking for programming languages using VeriSoft. In:POPL, pp. 174–186 (1997)

18. Kaiser, A., Kroening, D., Wahl, T.: Dynamic cutoff detection in parameterizedconcurrent programs. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS,vol. 6174, pp. 645–659. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14295-6 55

19. La Torre, S., Parthasarathy, M., Parlato, G.: Analyzing recursive programs usinga fixed-point calculus. In: PLDI, pp. 211–222 (2009)

20. Lal, A., Reps, T.: Reducing concurrent analysis under a context bound to sequentialanalysis. Form. Methods Syst. Des. 35(1), 73–97 (2009)

21. Liu, P., Wahl, T.: CUBA: interprocedural context-unbounded analysis of concur-rent programs. In: PLDI, pp. 105–119 (2018)

22. Liu, P., Wahl, T., Lal, A.: (2019). www.khoury.northeastern.edu/home/lpzun/quba

23. Liu, P., Wahl, T., Lal, A.: Verifying asynchronous event-driven programs usingpartial abstract transformers (extended manuscript). CoRR abs/1905.09996 (2019)

24. Musuvathi, M., Qadeer, S.: Iterative context bounding for systematic testing ofmultithreaded programs. In: PLDI, pp. 446–455 (2007)

25. P-GitHub: The P programming langugage (2019). https://github.com/p-org/P26. Qadeer, S., Rehof, J.: Context-bounded model checking of concurrent software.

In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 93–107.Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31980-1 7

27. Reps, T., Sagiv, M., Yorsh, G.: Symbolic implementation of the best transformer.In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266.Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24622-0 21

28. Sousa, M., Rodrıguez, C., D’Silva, V., Kroening, D.: Abstract interpretation withunfoldings. In: Majumdar, R., Kuncak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp.197–216. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9 11

29. Wahl, T., Donaldson, A.: Replication and abstraction: symmetry in automatedformal verification. Symmetry 2(2), 799–847 (2010)

404 P. Liu et al.

Open Access This chapter is licensed under the terms of the Creative CommonsAttribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),which permits use, sharing, adaptation, distribution and reproduction in any mediumor format, as long as you give appropriate credit to the original author(s) and thesource, provide a link to the Creative Commons license and indicate if changes weremade.

The images or other third party material in this chapter are included in thechapter’s Creative Commons license, unless indicated otherwise in a credit line to thematerial. If material is not included in the chapter’s Creative Commons license andyour intended use is not permitted by statutory regulation or exceeds the permitteduse, you will need to obtain permission directly from the copyright holder.